Least Privilege in Practice for SaaS Teams
Everyone agrees with least privilege in principle. The hard part is running it in a fast-moving SaaS company without grinding engineering to a halt.
By Kellwick Team · July 14, 2026 · 5 min read
Least privilege is one of those principles nobody argues with and few companies actually run. Give people only the access they need, and no more. Simple to say. In a SaaS company shipping daily, with engineers who need to debug production at 2am and a team that doubles in a year, it is genuinely hard to operate without slowing everyone down. This post is about doing it in practice, not in theory.
What least privilege really means day to day
Least privilege is not a one-time cleanup. It is a continuous property of your access model: at any given moment, each person and each system holds only the access their current role requires, and that access is removed when the need ends.
The failure mode is access accretion. Someone joins, gets access for their first project, moves to another team, picks up more access, covers for a colleague, keeps that too. Nothing is ever taken away because taking access away feels risky and nobody owns the decision. After two years your longest-tenured engineers can touch almost everything, and your blast radius if any one account is compromised is enormous.
The goal is not to make access hard to get. It is to make access match reality and to shrink automatically as roles change. Access should be easy to grant, easy to see, and easy to remove.
Design around roles, not individuals
Granting access person by person does not scale and cannot be reasoned about. The workable approach is to define access in terms of roles, then assign people to roles.
Think in terms of a small number of well-defined roles that map to how people actually work:
- A backend engineer on a given service needs deploy access to that service and read access to its logs, not admin over the whole cluster.
- A support engineer needs a scoped tool to look up customer records, not direct database access.
- A data analyst needs read access to the warehouse, not write access to production.
When access is attached to roles, two things get easier. Onboarding becomes "assign the role," and offboarding or a team move becomes "change the role." You stop reasoning about hundreds of individual grants and start reasoning about a handful of role definitions you can actually review and understand.
The most sensitive question is standing production access. In many SaaS companies, broad, permanent production access for every engineer is the single biggest source of excess privilege. The strong pattern is that routine work happens through pipelines and tooling, and direct production access is scoped, time-limited and granted when there is a genuine need, rather than held permanently by default.
Joiners, movers and leavers are where it breaks
Most access problems trace back to poor handling of the three moments when access should change: joining, moving and leaving.
Joiners should receive a defined baseline for their role and nothing more. Resist the habit of copying an existing employee's access, which is how one person's accreted permissions become the template for everyone after them.
Movers are the most neglected case. When someone changes team or role, their old access is rarely revisited, so they accumulate permissions from every position they have held. A role change should trigger a review of what they still need, not just an addition of what they now need.
Leavers must lose access promptly and completely, across every system, not just the obvious ones. The forgotten accounts, the third-party tools, the shared credentials and the personal access tokens are where offboarding leaks. This is both a security necessity and one of the first things an auditor will test.
The practical fix is to route all three through a defined process tied to your HR system and identity provider, so that a change in employment status drives a change in access automatically wherever possible. Manual, memory-based offboarding will always miss something.
Break-glass access without breaking the principle
Engineers will occasionally need elevated access in a hurry: a production incident, a data fix, an emergency. If your only options are permanent broad access or a slow approval queue, people will quietly keep the broad access, and least privilege dies in practice.
The answer is a deliberate break-glass path. Elevated access can be requested and granted quickly when it is genuinely needed, but it is time-limited, logged, and reviewed after the fact. The access expires automatically. The request and its use leave a clear record. Someone checks afterward that it was warranted.
This gives you the best of both. Engineers are not blocked during a real emergency, and elevated access does not silently become permanent. The logged, expiring nature of break-glass access is also strong evidence for an audit, because it shows privilege is controlled even in exceptional cases.
Reviews that catch drift
Even a good access model drifts. People change roles, projects end, exceptions get made. Periodic access reviews are how you catch that drift before it compounds.
The common mistake is to make reviews so large and manual that they become box-ticking. A reviewer handed a thousand-line spreadsheet will approve the lot without reading it, and the review proves nothing. Keep reviews scoped and meaningful:
- Review by system or by team, so each reviewer sees a set they actually understand.
- Put the review in the hands of someone who knows whether the access is justified, usually the team lead, not a central function guessing.
- Make the default action removal of anything unclear. Access someone cannot justify in a review is access they probably do not need.
Run these on a regular cadence and retain the record of each one. Done well, reviews both keep your access model honest and produce clean, continuous evidence that least privilege is operating, which is exactly what ISO 27001 expects to see.
Bottom line
Least privilege in a real SaaS company is not about locking things down until work stops. It is about attaching access to roles, handling joiners, movers and leavers through a reliable process, giving engineers a fast and logged path to elevated access when they genuinely need it, and reviewing regularly to catch drift. Get those right and you shrink your blast radius without slowing delivery. If you want to know how your current access model would hold up under scrutiny, a Kellwick readiness review can pinpoint where privilege has quietly accreted and how to bring it back into line.
Where this fits
ISO 27001
Pass the audit. We find what blocks Stage 1 before the certification body does.
Read the ISO 27001 hubNeed a second pair of eyes before the auditor does?
A readiness review shows exactly where your ISMS stands - and what to fix first - while there is still time to act on it.